
Possibly infected by a stealth agent, or updated version of flame.


  • Please log in to reply
1 reply to this topic

#1 JustaNoob

  • Members
  • 13 posts

Posted 12 August 2012 - 09:59 PM

Ok so I'm almost positive I have something lurking in my system. Whatever it is, it is sneaky. I have run numerous premium anti-virus software. Malwarebytes free 30-day trial, found nothing. AVG 2012 Total Internet Security, found nothing. Avira AntiVirus 2012 Premium, found nothing. Bitdefender 2012 Total Security, found nothing. I have tried using Rkill to stop the malware and did rescan; all found nothing. ESET online scanner, found nothing. Bitdefender 2012 Rescue CD (CD boots system into Linux), even with Linux, still found nothing. I even used the BD Flame virus scanner. I think it might be a new variant of the Flame virus. I noticed for some odd reason, my Windows updates seem to work while I'm offline. I had no internet connection; I had just used CCleaner to delete some regkeys I believed to be suspicious. I rebooted my computer to see if the regkeys came back; they stayed gone. Then my Windows Update says I have 3 new updates to install. Well, I disabled my internet long before the reboot. There was no Windows Update message before I deleted those regkeys and rebooted. There was no internet connection after I rebooted, so how can Windows tell me I have 3 updates to install? Am I missing something?

Also, I went to bed and my desktop was normal. I wake up, and for some reason I have a new shortcut on my desktop. It's the Network shortcut. That's what got me suspicious in the first place. Then 3 days later it disappears by itself. I never touched nor did I delete it, but it's gone. Also, I had Vuze installed. I didn't use it much after I got threatened by my ISP. They are REALLY cracking down on piracy now. My ISP told me they received reports that I was distributing pirated software, and after monitoring my network believe that I violated their ToS. Well anyways, I decide to use Vuze and see if I can't find a cracked version of something. (I know I shouldn't use cracked software.) But when Vuze loaded, it was downloading some win_ada2 or something like that. I never downloaded that. It gets weirder though. When I go to investigate it, Vuze shut down. When I reloaded Vuze, the download and all traces of it were gone. Just vanished. So I immediately uninstalled Vuze. Only problem is the Vuze Toolbar will NOT uninstall. Also, I can NOT get LogMeIn Hamachi to uninstall.

Also, I found a file named "MBR.exe". I know it stands for master boot record, and ofc it's an executable. I didn't run it. Although, I did right click and check its properties. That's when something weird happened again. When the properties opened and I clicked the Security tab, there was an Unknown User account present. He was set to "Special Permissions". I immediately clicked deny on all permissions, then next thing you know the unknown user account disappears. Also, the file size went crazy when I first opened the properties. The file size went from like 20 KB to over 2 GB in like 2 seconds, then went back to normal. I have NEVER seen a file change size like that by going into properties. Also, when I right click on HijackThis I no longer have the "Run as admin" feature. So I can't run it as admin to see all the hidden regkeys. Although, I do have Sysinternals Regedit, which shows all the HK and hidden reg entries. Also, in my Programs tab I have all kinds of Server 2008 C++ Redistributable etc., 15 of them to be exact.... I only had 3 to start. I believe I may have some legit-named programs that aren't legit. Also, when I used CCleaner the last time I was only online for like 2 mins. I shut down internet again then did another CCleaner. Well, in the downloads it said I downloaded MySQL something. I never downloaded that. And I had just cleaned it before I took it online, so there was nothing in the DL section. Don't know if that's normal but thought I'd mention it.

I am running Windows 7 64-bit Home Premium, which restricts me from using certain removal tools efficiently. Also the "Run As Admin" doesn't show up when I right click on Malwarebytes and HijackThis. I think the attacker restricted my privs to those programs once he realized I was getting suspicious.

There was only one program that told me I had multiple viruses. It said my explorer.exe was infected, my Notepad was infected, and like 20 other Windows files. That program was RegRun. Although it would not remove the programs. It would attempt to, but every reboot, it would find the same detections. So I could have a mean rootkit also. Any ideas?

Edit: Moved topic from Windows 7 to the more appropriate forum. ~ Animal


#2 noknojon

  • Banned
  • 10,871 posts

Posted 12 August 2012 - 10:57 PM

WARNING: RegRun is a Registry Cleaner??? Program that will never repair your system.

RegRun Security Suite - Not an antivirus.

From their own site
Do not use any Registry Cleaners or alter your system any more so the Malware Removal Experts can review your case.